PA L O A LT O N E T W O R K S : PA - 2 0 0 0 S e r i e s S p e c s h e e t
PA-2000 Series The PA-2000 Series is a next-generation firewall that delivers unprecedented
PA-2050
PA-2020
visibility and control over applications, users and content on enterprise networks.
APPLICATION IDENTIFICATION: • Identifies
and controls applications irrespective of port, protocol, encryption (SSL or SSH) or evasive tactic employed.
• Enables
positive enforcement application usage policies: allow, deny, schedule, inspect, apply traffic shaping.
• Graphical
visibility tools enable simple and intuitive view into application traffic.
USER IDENTIFICATION: • Policy-based
visibility and control over who is using the applications through seamless integration with Active Directory, LDAP, and eDirectory.
• Identifies
Citrix, Microsoft Terminal Services and XenWorks users, enabling visibility and control over their respective application usage.
• Control
non-Windows hosts via webbased authentication.
CONTENT IDENTIFICATION: • Block
viruses, spyware, and vulnerability exploits, limit unauthorized transfer of files and sensitive data such as CC# or SSN, and control non-work related web surfing.
• Single
pass software architecture enables multi-gigabit throughput with low latency while scanning content.
The Palo Alto NetworksTM PA-2000 Series is comprised of two high performance platforms, the PA-2020 and the PA-2050, both of which are targeted at high speed Internet gateway deployments. The PA-2000 Series manages network traffic flows using dedicated processing and memory for networking, security, threat prevention and management. A high speed backplane smoothes the pathway between dedicated processors, and the separation of data and control plane ensures that management access is always available, irrespective of the traffic load. Interface density for the PA-2020 and the PA-2050 is unmatched with up to 20 traffic interfaces and dedicated out-of-band management interfaces. The controlling element of the PA-2000 Series next-generation firewalls is PAN-OSTM, a security-specific operating system that tightly integrates three unique identification technologies: App-IDTM, User-ID and Content-ID, with key firewall, networking, VPN and management features.
KEY PERFORMANCE SPECIFICATIONS PA-2050
PA-2020
Firewall throughput Threat prevention throughput IPSec VPN throughput New sessions per second Max sessions IPSec VPN tunnels/tunnel interfaces SSL VPN concurrent users Virtual routers Virtual systems (base/max*) Security zones Max number of policies
500 Mbps 200 Mbps 200 Mbps 15,000 125,000 1,000 500 10 1/6* 40 2,500
1 Gbps 500 Mbps 300 Mbps 15,000 250,000 2,000 500 10 1/6* 40 5,000
*Adding virtual systems to the base quantity requires a separately purchased license.
PA L O A LT O N E T W O R K S : PA - 2 0 0 0 S e r i e s S p e c s h e e t
NETWORKING Deployment • Modes Routing • Modes • Forwarding table size (entries per device/per VR) • Policy-based forwarding • Point-to-Point Protocol over Ethernet (PPPoE) NAT/PAT • Max NAT rules • Max NAT rules (DIPP) • Dynamic IP and port pool • Dynamic IP pool • NAT Modes • PAT- Unique destination IPs per source port and IP VLANs • 802.1q VLAN tags per device • 802.1q VLAN tags per physical interface • Max interfaces • Aggregate Interfaces (802.3ad) Virtual Wire • Max virtual wires: • Physical interfaces mapped to VWs Address Assignment • Captive Portal for Management Interface • DHCP server/DHCP relay • Max Addresses: 64,000 L2 Forwarding • ARP table size/device • IPv6 neighbor table size • MAC table size/device
PA-2050 PA-2020 L2, L3, Tap, Virtual Wire (transparent mode)
L2, L3, Tap, Virtual Wire (transparent mode)
OSPF, RIP, BGP, Static 5,000 / 2,500 Supported Supported
OSPF, RIP, BGP, Static 2,500 / 2,500 Supported Supported
1,000 200 254 16,234 1:1 NAT, n:n NAT, m:n NAT 2
1,000 200 254 16,234 1:1 NAT, n:n NAT, m:n NAT 2
4,094 4,094 2,048 Not Supported
4,094 4,094 1,024 Not Supported
10 Supported
10 Supported
Supported Supported up to 3 servers up to 3 servers 64,000 64,000 500 1,000 2,500
1,000 1,000 1,000
SECURITY FIREWALL
NETCONNECT SSL VPN (REMOTE ACCESS)
• Policy-based control over applications, users and content • Fragmented packet protection • Reconnaissance scan protection • Denial of Service (DoS)/Distributed Denial of Services (DDoS) protection • Decryption: SSL (inbound and outbound), SSH
• Transport: IPSec with SSL fall-back • Authentication: LDAP, SecurID, or local DB • Client OS: Macintosh, Windows XP, Windows Vista (32 and 64 bit), Windows 7 (32 and 64 bit)
USER INTEGRATION (USER-ID) • Active Directory, LDAP, eDirectory, Citrix and Microsoft Terminal Services, Xenworks, XML API IPSEC VPN (SITE-TO-SITE) • Key Exchange: Manual key, IKE v1 • Encryption: 3DES, AES (128-bit, 192-bit, 256-bit) • Authentication: SHA1, MD5 DATA FILTERING • Control unauthorized data transfer (data patterns and file types) • Drive-by download protection MANAGEMENT, REPORTING, VISIBILITY TOOLS • Integrated web interface, CLI or central management (Panorama) • Syslog and SNMPv2 • XML-based REST API • Graphical summary of applications, URL categories, threats and data (ACC) • View, filter, export traffic, threat, URL, and data filtering logs • Fully customizable reporting
PAGE 2
THREAT PREVENTION (SUBSCRIPTION REQUIRED) • Application, operating system vulnerability exploit protection • Stream-based protection against viruses (including those embedded in HTML, Javascript, PDF and compressed), spyware, worms QUALITY OF SERVICE (QOS) • Policy-based traffic shaping by application, user, source, destination, interface, IPSec VPN tunnel and more • 8 traffic classes with guaranteed, maximum and priority bandwidth parameters • Real-time bandwidth monitor • Per policy diffserv marking GLOBALPROTECT • GlobalProtect Gateway • GlobalProtect Portal • Client OS: Windows XP, Windows Vista (32/64 bit), Windows 7 (32 bit) URL FILTERING (SUBSCRIPTION REQUIRED) • 76-category, 20M URL on-box database • Custom URL cache database (from 180M URL database) • Custom block pages and URL categories
PA L O A LT O N E T W O R K S : PA - 2 0 0 0 S e r i e s S p e c s h e e t
HARDWARE SPECIFICATIONS
PA-2050
PA-2020
I/O (16) 10/100/1000 + (4) SFP optical gigabit (PA-2050) (12) 10/100/1000 + (2) SFP optical gigabit (PA-2020) Management I/O (1) 10/100/1000 out-of-band management port, (1) RJ-45 console port Power supply (Avg/max power consumption) 175W/200W (105W/120W) Input voltage (Input frequency) 100-240Vac (50-60Hz) Max input current 70A@230Vac; 35A@115Vac Rack mountable (Dimensions) 1U, 19” standard rack (1.75”H x 17”D x 17”W) Safety UL, CUL, CB EMI FCC Class A, CE Class A, VCCI Class A, TUV ENVIRONMENT Operating temperature Non-operating temperature
32° to 122° F, 0° to 50° C -4° to 158° F, -20° to 70° C
ORDERING INFORMATION
PA-2050
PA-2020
Platform
PAN-PA-2050 PAN-PA-2020
For additional Information on the PA-2000 Series software features, please visit www.paloaltonetworks.com/literature.
Palo Alto Networks 232 E. Java Drive Sunnyvale, CA. 94089 Sales 866.320.4788 408.738.7700 www.paloaltonetworks.com
Copyright ©2011, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN-OS 4.0, March 2011.